What is a secure way to store login information? I have a swing application that requires users to login to an online account, currently logging in works, but I would like to be able to store the users login information on their computer if possible. There are a few ways I have thought of to do this:

  1. Save the login information in a file
  2. Save the login information in a database

What is the best way to do this? Does Java have something built in to do this?

Get Off My Lawn
    Why do you want them to store it on their computer? Isn't extending the life of the session an option? – Daniel Kaplan Jan 21 '13 at 18:10
  • You can put them in an encrypted file, but it is a mere palliative since the encryption key has to be stored somewhere, e.g. as a constant in the code, making it useless to encrypt that data. The problem has no solution. – gd1 Jan 21 '13 at 18:12
  • Sorry, I am making a Swing app, this isn't JSP. – Get Off My Lawn Jan 21 '13 at 18:16
  • Yea, don't do this. Extend the session as described by @DanielKaplan. Remember also that even this is only appropriate for non-critical security applications. – Perception Jan 21 '13 at 18:16
  • @RyanNaddy: is your Swing application deployed on the user's machine? – Nandkumar Tekale Jan 21 '13 at 18:23
  • @NandkumarTekale Yes. I did find the "Preferences" API though. Is this good to use? – Get Off My Lawn Jan 21 '13 at 18:26
  • It is bad or good like everything else, I believe – gd1 Jan 21 '13 at 18:29
  • Use this API, however what you should store in the local file is a session identifier that the server generates and sends to the client on successful login (could be random, no need to contain the user's password or hash in it). When the user logs out, this session identifier should no longer be accepted by the server. – Marinos An Jan 21 '13 at 18:33
  • @MarinosAn we still don't know what kind of server we are dealing with. We only have client-side knowledge (that it is a Swing app). – Aniket Inge Jan 21 '13 at 18:37
  • @Aniket - you need to nail down the server technology you will be using. Without it the concept of a 'login' is pretty much useless. – Perception Jan 21 '13 at 19:00
  • For all we know, the server side technology could be, perhaps, a mail server or a chat server, or maybe even a news server (does anyone use that anymore?). Assuming it to be a web server is naive (not saying you assumed it to be a web server, just generally speaking) @Perception – Aniket Inge Jan 21 '13 at 19:02
  • @Aniket - assuming anything about the server technology would be naive and misguided, unless the OP chimes in. You can safely ignore my comment, it was meant for the OP, not for you. – Perception Jan 21 '13 at 19:07
  • Which comment? May I safely ignore it? – Aniket Inge Jan 21 '13 at 19:09
  • @Perception It is in fact a web server. The application makes requests to the API; the API then sends back an XML file. This shouldn't matter in any case, because all I would like to do is just remember what the application used to log in the last time, then load that into the username/password fields so the user can just press the login button without having to type anything. – Get Off My Lawn Jan 21 '13 at 19:46
  • @RyanNaddy - I gather it's safe to assume that this is a third-party service you are calling? And you want to store the user's credentials to that third-party service? In any case, there's some interesting information that could be of use in [this StackOverflow post](http://stackoverflow.com/questions/225838/protecting-user-passwords-in-desktop-applications-rev-2). – Perception Jan 21 '13 at 19:58
  • @Perception It is actually an API I am currently writing. – Get Off My Lawn Jan 21 '13 at 20:03

4 Answers

If you really do want to store login information on the user's computer, then other than what Daniel Kaplan mentioned, an old-school way is to store it in cookies.

Another way is to store it in Web SQL, although it's JavaScript (HTML5) centric and the client-side support for it is still bleak.

EDIT -- Since it's a Swing application

The other safer way is to store it in SQLite with an MD5 encrypted password.

If you don't really care about security, store it in XML files or configuration files or even a CSV file.

Aniket Inge
As your application is in Swing, you can save the login information in a file, but in encrypted form. Using a database does not make sense, because you won't want to install a database where your application will be deployed.

If your app already accesses data from a database on the user's machine, then saving the user's credentials in the database would be preferred rather than saving them in files.

Nandkumar Tekale
If you mean user name information - no problem to store it in the database.

If you mean password, then normally it is not stored in a plain form anywhere.

What is stored is its hash (which is considered impossible to turn back into the password), generated by some (better - old, proven) algorithm.

When someone is trying to log in, the system takes the entered password, turns it into a hash (with the same algorithm) and compares it with what there is in the database (or elsewhere).

Alex Kreutznaer
I decided to use the Preferences API to store and retrieve data:
http://docs.oracle.com/javase/7/docs/api/java/util/prefs/Preferences.html

Here is a rough example of the final code:

import java.util.prefs.Preferences;
import javax.swing.JDialog;
import javax.swing.JPasswordField;
import javax.swing.JTextField;
import javax.swing.SwingWorker;

public class Login extends JDialog {
    // One preferences node per application package; values persist across runs
    private final Preferences pref = Preferences.userNodeForPackage(Login.class);
    private final JTextField user = new JTextField(20);
    private final JPasswordField pass = new JPasswordField(20);

    // Get saved info and set the textbox text
    public Login() {
        String userName = pref.get("user", "");
        if (!userName.isEmpty()) {
            this.user.setText(userName);
        }
        String passName = pref.get("pass", "");
        if (!passName.isEmpty()) {
            this.pass.setText(passName);
        }
    }

    // Run on login button click
    public void login() {
        String p = new String(pass.getPassword());
        DoLogin log = new DoLogin(user.getText(), p);
        log.execute();
    }

    // Process in background; the Boolean result tells done() whether login succeeded
    public class DoLogin extends SwingWorker<Boolean, Void> {
        private final String strUser;
        private final String strPass;

        public DoLogin(String strUser, String strPass) {
            this.strUser = strUser;
            this.strPass = strPass;
        }

        @Override
        protected Boolean doInBackground() {
            // Process login: call the server with strUser/strPass and
            // return true on success (the call itself is left out here)
            return false;
        }

        @Override
        protected void done() {
            // On successful login save user data
            try {
                if (get()) {
                    pref.put("user", this.strUser);
                    pref.put("pass", this.strPass);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
}
Get Off My Lawn
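A variant of this Preferences approach that follows Marinos An's comment above: an added example (not the OP's code) that remembers the user name and a server-issued session token instead of the password, so nothing on disk can be replayed once the server has invalidated it. AuthApi is a hypothetical stand-in for the OP's XML API client.

```java
import java.util.Arrays;
import java.util.prefs.Preferences;

/** "Remember me" for a Swing client: stores user name and an opaque token, never the password. */
public final class RememberMeStore {
    private static final String KEY_USER = "user";
    private static final String KEY_TOKEN = "sessionToken";
    /** Hypothetical client interface; the real implementation talks to the server. */
    public interface AuthApi {
        String login(String user, char[] password);  // opaque random token, or null on failure
        boolean resumeSession(String token);         // does the server still accept this token?
        void logout(String token);                   // server invalidates it
    }
    private final Preferences pref = Preferences.userNodeForPackage(RememberMeStore.class);
    private final AuthApi api;
    public RememberMeStore(AuthApi api) { this.api = api; }

    /** Interactive login; the password array is zeroed once it has been sent. */
    public boolean login(String user, char[] password, boolean remember) {
        try {
            String token = api.login(user, password);
            if (token == null) return false;
            pref.put(KEY_USER, user);               // pre-fill the name next time
            if (remember) pref.put(KEY_TOKEN, token);
            else pref.remove(KEY_TOKEN);
            return true;
        } finally {
            Arrays.fill(password, '\0');            // don't keep plaintext in memory
        }
    }

    /** Startup path: resume from the stored token, discarding it if the server rejects it. */
    public boolean resume() {
        String token = pref.get(KEY_TOKEN, null);
        if (token == null) return false;
        if (api.resumeSession(token)) return true;
        pref.remove(KEY_TOKEN);                     // stale or revoked: forget it
        return false;
    }

    public String savedUser() { return pref.get(KEY_USER, ""); }

    /** Logout invalidates server-side too, so a copied preferences file is useless afterwards. */
    public void logout() {
        String token = pref.get(KEY_TOKEN, null);
        if (token != null) api.logout(token);
        pref.remove(KEY_TOKEN);
    }
}
```

Preferences is not an encrypted store (the registry on Windows, a file under the home directory elsewhere), so the protection here comes from the token being revocable and password-free, not from it being secret on disk.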